Disaster! Today’s business world shudders at the word. With the current random occurrences of hurricanes, super storms, earthquakes, blizzards, fires, flooding and sustained power outages, it is a wonder how companies can recover to survive all of the natural or modern threats to their daily business operations and collection of business data. Today’s business world is dependent on the data created and stored for many aspects of daily operations: financial data; product specifications; designs; testing records; and quality management systems (QMS) data are only a few examples. Every business produces, consumes, utilizes, and reports data; the loss of access, complete loss, or corruption of data records can cost company revenue or even terminate a company’s existence. The current national estimated costs for data loss and recovery, as reported by the Data Restoration industry and the U.S. National Archives, are between 18 and 26 billion dollars annually.

Disaster Recovery vs. Business Continuity

The cost alone should cause companies to plan for disasters, but just what is disaster recovery? Disaster recovery is the act of restoring a system from an outage to full normal operation. It includes the identification of the incident, quarantine of the affected systems, risk review of potential losses vs. last known good status, and the restoration of the system to normal operations. Business continuity, on the other hand, is the overriding set of workarounds, procedures, processes, and planned actions necessary to maintain the business operations and flows during the outage, the recovery actions, and beyond.

It should be noted that as part of a validated system, the procedures for the change control of the system, as well as a verified formal backup and recovery process, are a critical part of the overall implementation. The means of controlling and rolling back any changes are a regulatory requirement to prevent a system and its data from becoming non-compliant or suspect. Periodic reviews of a system’s operation and usage are critical to monitor the “validated state” and maintain a system in a “known good” configuration. Disaster recovery plans (DRP) and business continuity plans (BCP) are key processes to ensure that the risks of an outage are understood and the criticality of any data loss and recovery operation is managed, allowing for continued business operations.

Data loss, access to data, and restoration of data systems are critical components of the company’s business processes. Whether it’s a small single user incident or a companywide outage, the loss of data can cripple projects, processes, or critical operations. Planning for outages is vital and may be accomplished by the creation of business continuity plans, disaster recovery plans and with the establishment of “known good” (tested) backup and recovery procedures.

At the key point of a system’s restoration to functional use, the company must assess the risks and plans required for re-collection of any lost data, as well as the merging of the data collected by the workarounds and downtime processes during the outage. This is accomplished through the BCP, DRP, and associated backup and recovery processes.

Business Continuity Plans (BCP)

The BCP is an overall governing document to define the main strategies and critical operations needed to continue the business operations when an outage occurs.

The BCP maintains critical operations during outage events.

Defines the minimum critical requirements for operating conditions during times of unexpected outage.

Designed to mitigate potential loss and serve to minimize disruptions and financial impact during even minor events.

Defines the company’s strategies and processes to follow during outages.

Defines the critical timing for restoration of critical systems to support the business. (Maximum allowed downtime for a system before it will cripple operations).

Disaster Recovery (DR) / Disaster Recovery Plans (DRP)

These are Information Technology-focused plans designed to restore the operability of the system, applications, or computer facilities at an alternate site after a major and usually catastrophic event.

Concentrates on deploying technology, equipment used, writing scripts, and doing periodic tests or drills to practice recovery of systems after a disaster.

Defines the backup and recovery methods or processes used including but not limited to:

Offsite Recovery (Rebuilding a lost location)

Lost Server Room Recovery (Restoring a data center)

Lost Business Critical Operation

DR is a necessary, required action, but it is not sufficient by itself. The BCP will define the critical risks and actions necessary to support continued business operations during and after the outage.

Backup and Recovery Processes

These are the Information Technology procedures and work instructions for performing the maintenance actions focused on the protection of a company’s intellectual data property and critical data records. They detail the operation of the company’s backup and restoration equipment, data storage, media rotation, offsite management, and backup image testing.

These processes are used in conjunction with the Disaster Recovery plan to restore a system to the last known good image.

Regulatory requirements define the backup process as critical for ensuring that changes to a validated system can be rolled back.

Data losses may still exist upon recovery operations and should be reviewed to determine any actions required as a part of the overall restoration process.

Incident Management

How a company plans and handles potential outage risks and performs recovery operations when outages can determine

Before the outage occurs:

Prior to a system outage, companies should perform a risk analysis of their critical computer systems and associated processes as a part of the business continuity plan. Key areas to review and ensure action on are:

Conclusion

Today’s businesses collect and utilize data for almost every process and action performed on a day-to-day basis. Loss of access to that data can degrade, cripple, or halt business operations; this could cause risks to the company’s products, services, or in critical cases, even the company’s existence. Business continuity planning and risk assessments, disaster recovery plans with test drills, and data backup and recovery procedures will help a company ensure survivability in this dangerous world of disaster!

Note: The views expressed in this article are those of the author and do not necessarily represent those of his or her employer, GxP Lifeline, its editor or MasterControl Inc.

Louis Rutledge is a MasterControl expert with over two and a half decades of experience in process engineering, document control implementation, software configuration management, computer systems / process validation and quality management systems. Since joining MasterControl in 2001, Rutledge has led software implementation and validation projects for more than 240 customers in the General Manufacturing, Medical Device, Blood & Biologics, and Pharma industries, in the United States, Canada, and United Kingdom. His expertise includes validation planning, protocol development, process and tool development and implementation. He is experienced in ISO 9001, ISO 13485, TL9000, QS9000, 21 CFR Parts 11, 210-211, 606, and 820, Q7A, ICH Annex 11, the Capability Model (CMM/CMMI) for Software Development, as well as ANSI, ICH, IEEE, and BABT specifications. Rutledge has a technical degree in electronics from the U.S. Navy and lead auditor certifications for ISO 9000 and TL9000 quality standards. He is an active member of the American Society for Quality, ISPE, and CMU SEI SEPG communities.
